Kameleoon achieves ISO 27001 certification: Learn what this means from our Chief Information Security Officer

Over the last 12 months, we released a lot of technical features to ensure that Kameleoon users’ data is accurate and reliable. Parallel to delivering data accuracy-enhancing capabilities, we have been implementing new admin control options, processes, and tools to show our commitment to the highest level of information security.

As a capstone of over 12 months of effort, we are pleased to announce that Kameleoon is now ISO 27001 certified. 

What is ISO 27001? 

ISO 27001 is an information security standard for managing information security, defined by the International Organization for Standardization (ISO). ISO 27001:2013 sets a strict standard for information security by requiring an efficient approach for identifying, mitigating, and managing risks. This is accomplished by using the Plan/Do/Check/Act methodology implemented within an Information Security Management System. 

Obtaining an ISO 27001 certification means that every single aspect of our organization that contributes to securing client data is subject to a set of procedures meant to mitigate risks and continuously assess processes using bespoke KPIs (e.g., number of incidents per quarter, compliance score, etc.).

We asked Kameleoon’s Chief Information Security Officer, Jimmy Passemard, to share about the process of becoming certified and explain its impact on Kameleoon and our clients. 

Obtaining ISO 27001 certification involved a lot of preparation that touched all parts of the organization. How did you begin the process?

The process started with a comprehensive internal audit to assess the extent to which our organization complied with the standard. With that understanding, we devised a 6-month plan to “fill in the gaps” and get ready for the actual audit process.

We also re-evaluated our existing toolset, ranging from admin tools for monitoring to compliance tools for tracking our efforts. We wanted to align our tools with ISO expectations, which helped us implement our 6-month plan.

Those 6 months led up to the actual audit, which was conducted by Consilium Labs, an ANAB-accredited, independent association. Through evidence collection, they reviewed our policies and checked that the associated procedures were, indeed, implemented.

Fortunately, our leadership team was extremely supportive and committed to achieving this certification, which made a huge difference in enacting organization-wide changes. 

Did you encounter any major challenges throughout the implementation of the new processes?

The key to a successful ISO certification lies in traceability, in all actions across the organization. Traceability refers to our ability to track and record the details of how artifacts move through processes, and it requires a trustworthy infrastructure. 

Establishing traceability is a challenging task because it must involve every business function. Take employee onboarding and offboarding, for example. We needed to improve how we provisioned, communicated, and logged access and set up a scalable, streamlined process for awareness and security training. And we had to ensure that we made these processes easy to review and audit. 

What do you consider the most impactful change we introduced? 

Switching to Single Sign-On (SSO), including server access, might have been the most impactful change. We rely on a bare-metal hosting strategy, so we had to implement an access control policy that included SSH, or Secure Shell, in order to create a secure network communication protocol. Our SSH access needed to have the same level of auditability and security as an application that has native SSO integration. We decided to leverage Smallstep, an easy-to-use, top-level security solution to help us achieve this. 

With this system in place, newly onboarded technical personnel, like data engineers, can have access to all the required resources as soon as their email is created, and that access can be precisely controlled or revoked the moment the person is offboarded. 

What does this mean for Kameleoon’s customers?

First and foremost, the ISO 27001 certification will make it very easy for our customers to verify the security of Kameleoon as a vendor. Brands can feel confident that we offer the best and most secure services that adhere to international standards and that are recognized by an independent auditor. 

Simply put, having this certification means that we:

• implemented clear and effective measure to protect data
• developed a formal methodology and rolled out processes to assess the effectiveness of these measures and have the means to improve them, whenever possible
• have a global audit trail that stands up to a formal audit
• are prepared to immediately react to any emergency or suspicious situation with effective measures (e.g., shutting down access or restricting network connections, etc.)

Where can Kameleoon’s customers learn more about our organization’s security? 

I highly recommend taking a look at Kameleoon’s SecurityScorecard. This is a free, independent tool that provides customers with cybersecurity risk ratings. Internally, we also use SecurityScorecard as it allows us to be vigilant with insights into potential vulnerabilities and help us continuously assess our compliance with security best practices. 

You can review our ISO 27001 certificate below.

In addition to being ISO 27001 certified across all our solutions –Web Experimentation, Full Stack Experimentation, and AI-Driven Personalization,– Kameleoon is proud to be compliant with other major standards, including GDPR, CCPA, and HIPAA. Learn more on our Data Privacy & Security page.